MEGA Review

MEGA is a secure cloud storage service based in Auckland, New Zealand. The service was originally founded by infamous hacker and internet entrepreneur Kim Dotcom to provide secure cloud storage with end-to-end encryption. The service has a special open source license that permits the code to be used "for the purposes of review and commentary." This means that the source code for the service can be accessed and audited by any third party.

MEGA launched in 2013, but Kim Dotcom parted ways with the company in 2015 after claiming that it was no longer secure. Mega Limited, MEGA’s parent company, strongly denies that this is the case, and there appears to be no evidence that Dotcom’s rumors were true. So, is this interesting storage service any good? And should you trust it to store your data?

Overview

MEGA is a popular secure cloud storage service that is currently used by approximately 150 million people. Its cloud storage is primarily designed to work as a web-based service, which means it is easy to store data online using the browser on any device. However, mobile apps are now available for Android, iOS, and Windows phones, as are extensions for popular browsers such as Firefox, Chrome, Safari, and Opera, and desktop versions for Mac and Windows.

MEGA has changed quite a bit since its inception, when free users were permitted to store 50GB of data. However, users can still enjoy the service for free and can store up to 15GB of data, which is still generous considering you don’t have to pay. Most free cloud backup services only offer 5GB of free storage, so this is excellent.

For anybody who wants more data storage, a number of different subscription plans are available ranging from $5.60 for a Lite Pro account, $11.20 for a Pro I account, $22.41 for a Pro II account, and $33.63 for a Pro III account. In the image below you can see how those differing price ranges provide different amounts of storage.

As you can see, users are able to store and transfer a certain amount of data depending on how much they pay. (The transfer quota is the amount of data you are permitted to transfer in a shared link and is designed to stop people abusing access to a file by sharing it in multiple locations online with numerous people). Free users get approximately 1GB of data transfer per day.

Other than the limits in the image above, there is no difference between the plans. MEGA also points out that while transfer limits change, transfer speeds remain the same across all free and paid subscription plans. However, it is worth noting that some people do complain of slow transfer speeds.

It is worth noting that in addition to 15GB of free storage, free users are able to participate in an achievements scheme that lets them earn more storage. For example, if you invite a friend to join MEGA you will receive an extra 10GB of free storage plus 20GB of transfer quota that is valid for 365 days. There are quite a few different rewards available, so it's worth checking it out by clicking the rocket icon in the top right of the web client.

This is a nice addition that encourages MEGA users to keep their accounts active. However, it is worth noting that if you use storage space provided for a limited time period to store something important, you could lose that data when the quota is revoked. In theory, that could be more trouble than it is worth.

It is also important to remember that MEGA reserves the right to delete all of your account’s data to free up space on its servers unless you keep your account active, but just how often you must log in to avoid this can be quite confusing. In its terms of service, MEGA clearly states that free users should be active at least every 3 months; however, the company told ProPrivacy that it doesn't begin sending warnings out until 8 months of inactivity and that the real risk of deletion comes after 12 months. Still, it's better to be safe than sorry if the data is important to you.

Finally, it is worth noting that the firm does not permit you to open multiple free accounts, and presumably, it monitors IP addresses to ascertain whether somebody is taking advantage of the service.

Features

MEGA has all the regular features you would expect from a secure cloud storage solution. However, it also has some unique extras. Here is a list of all its features:

Apps for all platforms and browser extensions.

Web client for access from any browser.

Share files with contacts in a fully encrypted state.

Create encrypted and password protected links to your files.

Preview photos and videos on the fly.

Versioning options for restoring a file to an older version.

Chat feature lets you send encrypted messages to other users.

MEGAbird extension for Firefox email client; use Thunderbird to send large encrypted files.

MEGAcmd command-line application. This tool is available for Mac, Windows, or Linux. It allows users to navigate their MEGA account as if it were a local folder and allows them to make use of all of MEGA’s advanced features via a command-line interface.

Setup

Getting MEGA set up and working is easy. Simply head over to its website and create a free account to begin using the service. If you prefer to pay for a premium account, the option is there and you will be given the option to pay by credit or debit card. However, PayPal is not an option anymore. On the other hand, you can pay with Bitcoin, which is great.

Once you have paid you will receive an email asking you to confirm your account. After confirming via that email link you are ready to start using the service. Having to provide an email address isn’t perfect in terms of privacy. However, at least you do not need to provide a phone number to receive a validation code.

As soon as you have verified your account, you are given the option to either download the app or continue without it (by using the web interface). We downloaded the app because we wanted to test both. After clicking download we were invited to continue to the cloud drive too.

Clicking on “Take me to my Cloud Drive” results in you being prompted to store a downloadable recovery key. The key will allow you to recover your account if you forget your password. If you are comfortable that you will never forget the password, you do not really need the key. However, you may want to store it somewhere securely (such as in a secure password manager) just in case.

Ease of Use

Once you are in the cloud app, you are provided with various hints and tips to get you started. This wizard is useful for anybody who has never used a cloud storage service before, or for anybody that has problems getting to grips with new software.

However, even without these tips and tricks, we believe that MEGA is extremely easy to get used to and should not cause any problems for anybody who wants to begin storing images, videos, or other files online.

The Cloud Drive means that you can easily log in to the service from a browser, meaning that you can easily choose to use it to save files from any device. We decided to test the Windows and Android versions to get a sense of how the software differs.

We downloaded MEGAsync version 4.2.0 for Windows and found the installation to be flawless. Users are given the option to either do a full sync or a selective sync depending on their preference. This allows you to make only specific folders from the Cloud Drive available on the desktop software. We opted for a selective sync to see what the options looked like. We found that unless you have made various folders on the web client, you won’t have any choices to make.

In fact, it is worth noting that you will always need to arrange all your files and folders in the web client because this functionality is not available in the desktop software.

Clicking on the cog in the top right allows you to upload or download files from your Cloud Drive. The only slight hitch with this functionality is that we had to click on the files we wanted to upload within the window (we could not search for them). This could become annoying if you are having to scroll through a very large folder of files.

Sharing folders is extremely easy. To do so, you simply right click on the folder you want to share and select sharing. Here, you can enter an email address to pass the folder to a contact of your choice.

Files can be shared with a link. These can either be shared with an encryption key or shared without the key (meaning that you will have to share it privately with any contact you want to share a file with). Linking with the key attached will cause a warning to be displayed recommending that users send the key directly.

Links can be set to last for only a selected period, and users can opt to password protect the link too. When you first attempt to create a link, you are asked to agree not to share links to copyrighted content.

Having created the link you can simply share it with anyone, and as long as they have the key and the password they can decrypt it and access the file. We found all aspects of using MEGA to upload, download, store, share, and link extremely easy.

Down the left-hand side of the Cloud Drive client, users can access their drive, recent folders, shared items, and the chat client. Sadly, we had no fellow MEGA users to chat to, but the feature looks great from a quick glance.

Overall, this is definitely a service that is ideal for beginners looking for a secure cloud storage service that is compatible with all their devices, provides syncing, and permits file sharing without having to learn anything complicated. In our opinion, MEGA provides an excellent balance between workflow/productivity and privacy. We found no real difference in functionality across the versions we used, which means there is not a distinct learning curve across the apps.

One thing worth bearing in mind is that the extensions don’t offer any obvious functionality themselves; they just open MEGA in your browser. We asked the firm to clear up exactly why it is worth using the extension and they told us:

“MEGA extension will allow you to install MEGA into your browser. It will reduce loading times, improve download performance and strengthen security. Any MEGA URL will be captured by this extension and stay local (no JavaScript will be loaded from our servers). Secure auto-updates are provided thanks to cryptographic private key signing.

MEGA is more secure using the extension(s) because the web resources (JS/html) are loaded locally from within the extension itself, and therefore that prevents any possible MITM attack.

Another good reason to use MEGA extension is that it will allow you to transfer larger files within the browser. Otherwise, the internal memory provided by the browser is very limited for file transfers.”

Privacy

Mega is a secure cloud storage service that operates with zero-knowledge of people’s encryption keys. In such a service all documents are encrypted locally using a key that is never shared with MEGA. As a result of retaining full control over the encryption of their data, users never need to worry about their data being intercepted in transit or while at rest.

However, a side effect of this security is that users can never recover their account. Mega makes it clear that if users forget their password they will lose access to their account.

In its Terms of Service, the firm is quick to remind users that they must protect not only their password but also access to their devices:

“You should keep your password and Recovery Key safe and confidential. You must not share your password with anyone else and should not release encryption keys to anyone else unless you wish them to have access to your data. If you lose or misplace your password, you will lose access to your data. Encryption won’t help though if someone has full access to your system or device.

“We strongly urge you to use best practices for ensuring the safety and security of your system and devices (e.g. via unique passwords, security upgrades, firewall protection, anti-virus software, securing and encrypting your devices). Mega will never send you emails asking for your password or suggesting that you click a link to login to your account, so do not be fooled by any such email since it will not be from us.”

MEGA’s ToS also clearly state that all users retain full ownership of their data:

“You own, or undertake that you are authorized to use, any intellectual property in any data you store on, use, download, upload, share, access, transmit or otherwise make available to or from, our systems or using our services. You grant us a worldwide, royalty-free license to use, store, back-up, copy, transmit, distribute, communicate, modify and otherwise make available, your data, solely for the purposes of enabling you and those you give access to, to use our services and for any other purpose related to provision of the services to you and them.”

MEGA will comply with takedown notices and will work with law enforcement if it believes infringing or copyrighted content is being stored or disseminated via its servers. However, because all your data is transmitted and stored in encrypted form, it is theoretically impossible for MEGA to access the contents of your data unless a contact you have shared a file with (and provided an encryption key for) also passes that encryption key to MEGA.

We checked the firm’s privacy policy and were happy to find that it was written in a GDPR compliant manner. However, we also discovered that although files are stored with end-to-end encryption, some metadata about files is passed to MEGA in an unencrypted format.

The firm claims that this metadata “does not disclose the content or information that the file contains.” Despite this, some users may be annoyed by this level of data collection, because that metadata contains your:

Browser type and operating system, IP address and port information, API usage, file uploads, folder creations and link exports, the country that they believe you are accessing their services from, file sizes, versioning order, timestamps and parent-child file relationships, deletion timestamps, the email address of anyone you make a contact using Mega's systems, contact email addresses of chat participants, as well as chat commencement time and chat duration.

MEGA publishes a transparency report which shows exactly how many takedown requests it is having to deal with for copyright or criminal reasons. Again, it is worth noting that it is impossible for MEGA to enact takedown requests unless the user has published or provided the encryption key themselves (or it is provided by a third party with whom you have shared the key).

However, it is also worth noting that MEGA has received criticism in the past for deleting people’s files after receiving a takedown notice; even though those files were not copyrighted content. According to the reports, this happened after links to files (genuinely owned by the users) were placed online.

Security

All communication with MEGA servers is secured using TLS/SSL. We checked MEGA using Qualys SSL Labs and the service received an A-, which is a pretty good score (and means that data should be secure in transit).

MEGA subscribers’ passwords are hashed with the PBKDF2 derivation function using SHA256. A random Master Key, 128 bits (16 bytes) in length, is created using the client’s native CSPRNG. For added security, 128 bits of random salt are also produced.

Following that, the first time that a user logs in, the following encryption keys are also automatically generated:

An RSA key pair, 2048 bits (used for sharing folders/files).

An Ed25519 key pair, 256 bits (used as the trust root for user fingerprint verification and signing of other keys; this key pair is referred to as the Signature Keys).

A Curve25519 key pair, 256 bits (used for MEGAchat).

Those private keys are encrypted by the user’s Master Key using AES-ECB and stored by the API. MEGA never has access to plaintext private keys at any time in the process.

MEGA also provides access to Two Factor Authentication via authenticator apps such as Google Authenticator.

Files and folders are encrypted using AES-128, which should be secure long into the future (using currently known methods). Post-download or upload integrity checking is done through a chunked variation of CCM.

Link files are protected using PBKDF2-HMAC-SHA512 with 100,000 rounds, 256 bits of random salt, and the user’s password to obtain a 512-bit Derived Key.
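The link-password derivation described above can be reproduced with Python's standard library. This is an added example, not MEGA's code: the function names, the split of the 512-bit Derived Key into two 256-bit halves, the XOR wrap and the HMAC-SHA256 tag are assumptions of this sketch, and the sample key is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ROUNDS = 100_000     # PBKDF2 rounds, as stated in the review
SALT_BYTES = 32      # 256 bits of random salt
DERIVED_BYTES = 64   # 512-bit Derived Key


def derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA512 -> 512-bit Derived Key, returned as two halves."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt, ROUNDS, dklen=DERIVED_BYTES)
    # Assumption of this sketch: first half wraps the key, second half
    # authenticates the result.
    return dk[:32], dk[32:]


def protect_link_key(link_key: bytes, password: str) -> dict:
    """Wrap a link's key (up to 32 bytes) under a password."""
    if not 0 < len(link_key) <= 32:
        raise ValueError("link key must be 1..32 bytes")
    salt = secrets.token_bytes(SALT_BYTES)  # fresh per link, so the pad is never reused
    enc_half, mac_half = derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(link_key, enc_half))
    tag = hmac.new(mac_half, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_link_key(blob: dict, password: str) -> Optional[bytes]:
    """Return the link key, or None if the password or the blob is wrong."""
    enc_half, mac_half = derive(password, blob["salt"])
    expected = hmac.new(mac_half, blob["salt"] + blob["wrapped"],
                        hashlib.sha256).digest()
    # Check the tag first, in constant time; a wrong password must be
    # rejected, not silently turned into a garbage key.
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], enc_half))


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample, not a real MEGA key
    blob = protect_link_key(sample_key, "correct horse")
    print("right password:", open_link_key(blob, "correct horse") == sample_key)
    print("wrong password:", open_link_key(blob, "battery staple"))
```

The recipient needs the salt and tag along with the wrapped key, and the password should travel over a different channel than the link.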

Any time that a user wants to share data with another user, they must encrypt the required encryption keys with the recipient’s public key before transmitting the file. The identity of the recipient can be checked by verifying their key fingerprints through an independent channel.

It is worth noting that because the browser-based client uses JavaScript for all encryption, decryption, and key generation, it is subject to some known vulnerabilities including man-in-the-middle attacks caused by forcing keys on the user. Users who are paranoid about browser-based JavaScript vulnerabilities should stick to using the desktop, mobile apps, and extensions.

Overall, the cryptographic principles employed by MEGA’s end-to-end encryption are sound, which means that users should be able to enjoy high levels of privacy and security using the service.

Customer service

MEGA users can raise concerns or ask questions from within the client by navigating to the settings menu in the top right, followed by “Get support”. Here users can open a ticket based on their problem.

Users are given the options: General Enquiry, Technical Support, Payment Issue, Forgotten Password, Transfer Issue, Contact/Sharing Issue, MEGAsync Issue, or Missing/Invisible Data. Once a ticket is raised, users will receive an answer to their questions in an email. We found replies to come quickly, never having to wait longer than an hour or two. However, depending on the level of question you ask you may have to go back and forth a number of times to get exactly what you need.

In addition, users can browse a Blog section with lots of well-written articles pertaining to aspects of the service. These entries are archived into years to make them easier to browse. Users also get access to a vast FAQ section with answers to many questions about the various clients, extensions, and features. All of these support features are well presented, and allow users to quickly get answers to any questions they are looking for.

Overall, we found customer support with MEGA to be well above average, and the firm certainly provides a lot of details (in terms of techy aspects of the service such as encryption levels) on its website, which is great.

Conclusion

When it comes to finding a password manager that is both secure and user-friendly, the task is not always easy. However, due to the way that MEGA is put together, it really is a doddle to use. And, if you are one of those people who often need to share files with friends and family, MEGA really does make it extremely easy to do it both securely and privately.

On the other hand, the fact that people have had legitimate files flagged up as pirated content and deleted is quite concerning, especially if you rely on the service to securely store your valuable intellectual property (think digital artists, musicians, developers, videographers etc).

The fact that this service provides excellent customer service is a plus, and with 50 GB of storage for free users, this really is one of the best deals we have ever seen. And, because MEGA is open source and is freely available to read on GitHub, it is one of the few cloud service providers that can be thoroughly audited to ensure it really does provide end-to-end encryption.

While there was an incident in 2018 where 15,500 user passwords and names were dumped online - it seems likely that these were due to phishing and credential stuffing rather than any mistake on the part of MEGA.

Of course, you do have the rumors started by Kim Dotcom to worry about, but in fairness, there is nothing of substance to back up Dotcom’s claims. Thus, it is hard to take those criticisms to heart. Of course, it all depends on your personal threat model and who you decide to believe. However, it seems to us that MEGA is above board. So, if you need lots of free cloud storage with strong encryption, this might be the service for you.

James Thomas
replied to Mike

Hi
I am a lifetime subscriber of Icedrive and would like to share my thoughts on it.
I would like to point out that Icedrive offers only 10GB free space now for new accounts. (Before it was 20GB)
They have a very long way to go to reach anywhere near the big guys like Onedrive, Google Drive, Dropbox and pCloud.
There are lots of basic function issues they need to fix.
Folder downloading is not possible on Icedrive, which is a huge problem.
Not possible to see folder details. (When you upload lots of files, most times the progress bar hangs and stops at some random percentage. So you’re not sure if all the files are uploaded or not. And without any option to check the folder details it's a headache at times)
When you try to rename files & folders, it won’t allow at times, may allow after you try multiple times.
Encrypted file option is good. But there are some issues in that too.
I know, they have only started this year.
But with lots of technical issues I don’t recommend them to be your main cloud storage.
They would require at least one year more to stabilize every basic operation and run smoothly.
It’s good for your mobile backups (photos & videos) which are not that important.
But I DO NOT recommend them to store your important documents.
I think they have to reconsider their prices too, at least until they gain more customers.
1 TB lifetime plan on Icedrive is 150$
2 TB plan on pCloud is 350$ which makes their 1 TB 175$ (though they do not have 1 TB plan, but still that’s what their plan value is)
And they always give offers too, like I got my 2TB LT pCloud plan for 245$, which makes 1 TB just 122.5$ which is cheaper than the IceDrive.
With crypto LT subscription my 1 TB pCloud plan values at 185$. Just 35$ more than Icedrive.
I would definitely go with pCloud as my primary backup solution as they are already established cloud providers.
Icedrive looks cool, their customer support is good and they are trying very hard to make a name in the competitive world of online storage solutions.
But when you need to trust your personal and sensitive documents it's always better to choose the best out there.